X-Git-Url: https://git.auder.net/?a=blobdiff_plain;f=server%2Froutes%2Fgames.js;h=24bfc82cb8c70586a112e7ce54131001ecbbf6a9;hb=dac395887d96e2d642b209c6db6aaacc3ffacb34;hp=a444acdf5127854e9d323a6fa4c46baff1278528;hpb=afd3240d89a2f6191fe9426960dc0c1667b40c77;p=vchess.git

diff --git a/server/routes/games.js b/server/routes/games.js
index a444acdf..24bfc82c 100644
--- a/server/routes/games.js
+++ b/server/routes/games.js
@@ -9,34 +9,45 @@ var params = require("../config/parameters");
 // From main hall, start game between players 0 and 1
 router.post("/games", access.logged, access.ajax, (req,res) => {
   const gameInfo = req.body.gameInfo;
-	if (!gameInfo.players.some(p => p.id == req.userId))
-		return res.json({errmsg: "Cannot start someone else's game"});
+  if (!Array.isArray(gameInfo.players) ||
+    !gameInfo.players.some(p => p.id == req.userId))
+  {
+    return res.json({errmsg: "Cannot start someone else's game"});
+  }
   const cid = req.body.cid;
+  // Check all entries of gameInfo + cid:
+  let error = GameModel.checkGameInfo(gameInfo);
+  if (!error)
+  {
+    if (!cid.toString().match(/^[0-9]+$/))
+      error = "Wrong challenge ID";
+  }
+  if (!!error)
+    return res.json({errmsg:error});
   ChallengeModel.remove(cid);
-	const fen = req.body.fen;
-	GameModel.create(
+  GameModel.create(
     gameInfo.vid, gameInfo.fen, gameInfo.timeControl, gameInfo.players,
-		(err,ret) => {
-			access.checkRequest(res, err, ret, "Cannot create game", () => {
+    (err,ret) => {
+      access.checkRequest(res, err, ret, "Cannot create game", () => {
         const oppIdx = (gameInfo.players[0].id == req.userId ? 1 : 0);
         const oppId = gameInfo.players[oppIdx].id;
         UserModel.tryNotify(oppId,
           "New game: " + params.siteURL + "/game/" + ret.gid);
-				res.json({gameId: ret.gid});
-			});
-		}
-	);
+        res.json({gameId: ret.gid});
+      });
+    }
+  );
 });
 
 router.get("/games", access.ajax, (req,res) => {
-	const gameId = req.query["gid"];
-	if (!!gameId)
+  const gameId = req.query["gid"];
+  if (!!gameId)
   {
     GameModel.getOne(gameId, (err,game) => {
-		  access.checkRequest(res, err, game, "Game not found", () => {
+      access.checkRequest(res, err, game, "Game not found", () => {
         res.json({game: game});
-		  });
-	  });
+      });
+    });
   }
   else
   {
@@ -44,10 +55,10 @@ router.get("/games", access.ajax, (req,res) => {
     const userId = req.query["uid"];
     const excluded = !!req.query["excluded"];
     GameModel.getByUser(userId, excluded, (err,games) => {
-			if (!!err)
+      if (!!err)
         return res.json({errmsg: err.errmsg || err.toString()});
-			res.json({games: games});
-	  });
+      res.json({games: games});
+    });
   }
 });
 
@@ -55,9 +66,15 @@ router.get("/games", access.ajax, (req,res) => {
 // TODO: if newmove fail, takeback in GUI
 router.put("/games", access.logged, access.ajax, (req,res) => {
   const gid = req.body.gid;
-	const obj = req.body.newObj;
-	GameModel.update(gid, obj, (err) => {
-		if (!!err)
+  let error = "";
+  if (!gid.toString().match(/^[0-9]+$/))
+    error = "Wrong game ID";
+  const obj = req.body.newObj;
+  error = GameModel.checkGameUpdate(obj);
+  if (!!error)
+    return res.json({errmsg: error});
+  GameModel.update(gid, obj, (err) => {
+    if (!!err)
       return res.json(err);
     // Notify opponent if he enabled notifications:
     GameModel.getPlayers(gid, (err2,players) => {
@@ -68,7 +85,7 @@ router.put("/games", access.logged, access.ajax, (req,res) => {
         "New move in game: " + params.siteURL + "/game/" + gid);
     });
     res.json({});
-	});
+  });
 });
 
 module.exports = router;